“Cyber Risk Management under SEBI Regulations – What Every Financial Entity Must Know”
You must keep upgrading your cyber risk framework to meet SEBI’s evolving standards, ensuring operational resilience and robust client-data protection; noncompliance can lead to heavy penalties and amplified risk from data breaches. You should implement governance, continuous monitoring, and mandatory incident reporting to demonstrate due diligence and preserve market trust.
Key Takeaways:
- Board and senior management accountability: SEBI expects defined governance, clear ownership of cyber risks, and designated roles such as CISO to drive compliance and oversight.
- Documented risk-based framework: Maintain policies and controls aligned with recognised standards (ISO/NIST), covering asset classification, access management, encryption, monitoring and incident response.
- Incident detection, response and reporting: Implement detection and forensic capabilities, formal response plans, and timely reporting to SEBI/other authorities as required by regulation.
- Third-party and supply-chain controls: Conduct due diligence, enforce contractual security requirements, monitor vendor performance, and assess cloud/service-provider risks regularly.
- Ongoing testing, audits and training: Perform regular vulnerability assessments, penetration testing and audits, maintain business continuity/disaster recovery plans, and provide role-based employee training to demonstrate compliance and reduce enforcement risk.
SEBI regulatory framework and scope
SEBI’s cyber framework targets market infrastructure and intermediaries (exchanges, depositories, clearing corporations, registrars, brokers, AMCs and mutual funds) and expects you to align governance, resilience and reporting with regulator-specific directions and circulars. The framework stresses board accountability, mandatory incident reporting, third‑party risk controls and periodic assurance, so your compliance program must map SEBI provisions against existing RBI/IRDAI expectations and evidence continuous monitoring and improvement.
Covered entities, applicability and timelines
SEBI applies the directions to primary market participants and regulated intermediaries, with applicability often tied to systemic role and transaction volumes; for instance, exchanges and depositories face the tightest requirements. You’ll typically see phased timelines, ranging from a few months for high‑impact entities to up to a year for smaller intermediaries, so prioritize remediation by impact and maintain documentation of milestone compliance.
Core obligations under SEBI directions and related circulars
Key obligations require you to implement a board‑approved cyber policy, maintain an incident response and reporting mechanism, conduct regular VAPT and security assessments, manage third‑party risks, and ensure staff awareness and role‑based access controls. SEBI emphasizes timely incident reporting and demonstrable periodic assurance, so you must operationalize controls, logging, and evidence trails for audits and regulatory queries.
Practically, that means at least annual VAPT, quarterly vulnerability scans, 24×7 SOC or MDR arrangements for critical entities, periodic tabletop exercises and documented third‑party due diligence. You should encrypt sensitive data, enforce segregation of duties, keep audit logs immutable, and integrate SIEM/SOAR for faster detection; failure to report or remediate can trigger regulatory investigations and enforcement actions, so treat these measures as operational imperatives.
Governance and accountability
You must embed cyber risk into corporate governance with a documented risk appetite, defined KPIs and a clear escalation path. Adopt a three‑lines‑of‑defense approach, require quarterly board reporting on high‑risk items, and tie cyber outcomes to executive performance where appropriate. Use dashboards that track open high‑risk findings, patch compliance and MTTR, and ensure board minutes record approvals for major security investments and residual risk acceptance.
Board, senior management and CISO responsibilities
You should have the board set strategy and oversight, senior management fund and implement controls, and the CISO run day‑to‑day defence and assurance. Require the CISO to report to the board at least quarterly, own the incident response plan, and publish metrics such as incident counts, containment time and patch compliance. Grant the CISO direct CEO access, authority over vendor security, and KPIs like MTTR under 4 hours for critical incidents.
Policies, committees and internal control frameworks
You need a concise policy inventory mapped to SEBI expectations and standards like ISO 27001 or NIST CSF. Stand up an IT steering committee for strategy, an incident response committee for urgent remediation, and a third‑party risk committee for vendor oversight. Policies must define roles, escalation timelines and testing cadence, with named control owners and mandatory annual reviews.
Operationalize policies with a formal lifecycle (drafting, legal review, board approval, training and testing) and maintain a RACI for segregation of duties. Conduct biannual tabletop exercises capturing lessons learned, keep a third‑party register that rates your top 10 vendors annually, and deploy SIEM/SOAR for continuous monitoring so suspected material breaches are escalated within one hour to senior management.
Risk assessment and controls
You must run continuous risk assessments combining annual enterprise reviews with quarterly vulnerability scans and threat-intel feeds; apply CVSS and business-impact mapping so you can prioritize remediation where it matters most. For example, establish a policy to patch vulnerabilities with CVSS ≥7 within 30 days. Historical failures like Equifax’s unpatched Apache Struts show how a single unaddressed flaw can cause multi-million-dollar fallout.
Asset classification, threat modelling and risk scoring
You need a live asset inventory tagged by criticality (1-5) and data sensitivity, with owners and data-flow diagrams. Use STRIDE or attack trees on your top 20 business processes, then score risk as likelihood×impact, applying CVSS and annualized loss expectancy (ALE). Treat trading/settlement systems as level 1, and enforce redundancy and an RTO under 1 hour for those assets.
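The scoring approach above (CVSS as likelihood, criticality tier as impact, ALE for monetary weighting, and the 30-day deadline for CVSS ≥7 from the previous section) as a worked backlog prioritiser. This is an added example, not SEBI text or any vendor's tool; the criticality weights, the 90-day default for lower scores and the sample findings are assumptions.

```python
"""Risk scoring for a findings backlog: CVSS x asset criticality, ALE and
patch deadlines. Added illustration; not SEBI text or any vendor's tool.
The 1-5 criticality tiers, the CVSS>=7 -> 30-day rule and the ALE inputs
follow the article; the weights and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed mapping of asset criticality tier (1 = most critical) to an
# impact multiplier; tune it to your own risk appetite.
IMPACT_WEIGHT = {1: 5.0, 2: 4.0, 3: 3.0, 4: 2.0, 5: 1.0}

@dataclass
class Finding:
    finding_id: str
    asset: str
    criticality: int      # 1-5, from the asset inventory
    cvss: float           # CVSS base score, 0-10
    sle: float            # single loss expectancy (INR)
    aro: float            # annualised rate of occurrence
    found_on: date

def risk_score(f: Finding) -> float:
    """likelihood x impact: CVSS normalised to 0-1 times the criticality weight."""
    return round((f.cvss / 10.0) * IMPACT_WEIGHT[f.criticality], 2)

def ale(f: Finding) -> float:
    """Annualised loss expectancy = SLE x ARO."""
    return f.sle * f.aro

def patch_deadline(f: Finding) -> date:
    """Article policy: CVSS >= 7 patched within 30 days.
    The 90-day window for lower scores is an assumed default."""
    return f.found_on + timedelta(days=30 if f.cvss >= 7.0 else 90)

def prioritise(findings):
    """Highest ALE-weighted risk first; ties broken by the earlier deadline."""
    return sorted(findings, key=lambda f: (-risk_score(f) * ale(f), patch_deadline(f)))

# Constructed sample backlog (not real findings). Note that F-2 has the same
# CVSS as F-1 but lands last: a critical score on a low-value asset is not
# the top priority once business impact is applied.
SAMPLE = [
    Finding("F-1", "trading-engine", 1, 9.8, 5_000_000, 0.2, date(2024, 1, 10)),
    Finding("F-2", "intranet-wiki", 5, 9.8, 50_000, 0.5, date(2024, 1, 10)),
    Finding("F-3", "settlement-db", 1, 6.5, 2_000_000, 0.3, date(2024, 1, 10)),
]
```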
Technical and operational controls (access, encryption, segmentation)
You must enforce role-based access, least privilege, and MFA for all privileged accounts, preferring hardware tokens for admins. Encrypt data in transit (TLS 1.2/1.3) and at rest (AES-256) with keys in a KMS rotated every 90 days. Segment networks with VLANs/DMZs and microsegmentation to isolate internet-facing apps and payment rails, and operate weekly or expedited critical-patch cycles.
You should deploy PAM with session recording and just-in-time access to remove standing admin credentials, and integrate EDR, IDS/IPS, and SIEM to correlate alerts and lower mean time to detect. Segment production trading engines into strictly firewalled zones; the 2016 Bangladesh Bank SWIFT breach exemplifies how weak segmentation enables lateral movement. Require quarterly penetration tests and validate controls with post-patch regression testing; weekly critical-patch cycles keep your exposure window narrow.
Incident preparedness and reporting
You must maintain an incident playbook mapped to SEBI classifications, a live contact tree for exchanges, CERT-In and law enforcement, and pre-negotiated MSSP/forensic vendor SLAs. Run tabletop exercises quarterly and full-scale drills annually, preserve WORM logs for at least 90 days, and keep a prioritized list of top-10 business-impact scenarios so you can detect, contain and notify within regulator windows.
Incident response plans, testing and forensics
Your response plan should define roles (CISO, legal, PR, ops), RTO/RPO targets (e.g., RTO ≤4 hours for critical systems), chain-of-custody procedures and live-forensic capabilities. Test playbooks against ransomware and insider-exfiltration scenarios; perform quarterly tabletop runs and an annual red-team exercise. Ensure forensic images, hash manifests and IOC export are ready to hand over to investigators to avoid evidence loss.
Mandatory reporting timelines, formats and remediation expectations
You need to be able to issue a preliminary notification within a regulatory window (commonly 6-24 hours) and submit a detailed incident report within 72 hours, with an interim remediation plan and milestones. Reports should include impact metrics (records affected, monetary loss estimate), IOCs, containment steps and a timeline for full recovery; failure to meet timelines can invite fines and escalation to exchanges and CERT-In.
Prepare regulator-ready templates in advance: an executive summary, technical annex with IOC lists (hashes, IPs, domains), forensic timeline and a remediation roadmap with clear deadlines (e.g., 7/30/90 days). Maintain a log of communications, ticketed remediation tasks and attestation evidence for fixes. Use standardized formats (CSV/JSON for IOC tables, PDF for executive reports) to speed submissions and reduce back-and-forth with SEBI, exchanges and CERT-In.
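A minimal evidence packager for the hash manifests and IOC exports called for in the two sections above (forensic hand-over and the CSV/JSON technical annex). It is an added example, not SEBI's format or any vendor's tool; the artefact bytes and IOC values are constructed placeholders (RFC 5737 test address, `.invalid` domain, all-zero hash), not real indicators.

```python
"""Regulator-ready evidence package: SHA-256 hash manifest for forensic
artefacts plus an IOC table in CSV and JSON. Added illustration, not SEBI
text or any vendor's tool. Artefact bytes and IOC values are constructed
placeholders, not real indicators."""
import csv, hashlib, io, json
from datetime import datetime, timezone

# Constructed artefacts standing in for disk images / log exports.
ARTEFACTS = {
    "disk-image-srv01.raw": b"placeholder image bytes",
    "auth.log": b"placeholder log lines\n",
}
# Constructed IOCs (placeholder values only).
IOCS = [
    {"type": "sha256", "value": "0" * 64, "context": "dropper seen on srv01"},
    {"type": "ipv4", "value": "192.0.2.10", "context": "C2 beacon (TEST-NET-1)"},
    {"type": "domain", "value": "example.invalid", "context": "exfil host"},
]

def hash_manifest(artefacts: dict) -> dict:
    """Map each artefact name to its SHA-256 so investigators can confirm the
    handed-over copies are unchanged (chain of custody)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artefacts.items()}

def verify_manifest(artefacts: dict, manifest: dict) -> list:
    """Return the names whose current hash no longer matches the manifest."""
    return [n for n, h in hash_manifest(artefacts).items() if manifest.get(n) != h]

def iocs_to_csv(iocs: list) -> str:
    """IOC table as CSV, the exchange-friendly format named in the article."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["type", "value", "context"], lineterminator="\n")
    w.writeheader()
    w.writerows(iocs)
    return buf.getvalue()

def technical_annex(incident_id: str, artefacts: dict, iocs: list) -> str:
    """JSON technical annex: manifest, IOC table and generation timestamp."""
    return json.dumps({
        "incident_id": incident_id,
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "hash_manifest": hash_manifest(artefacts),
        "iocs": iocs,
    }, indent=2)
```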
Third‑party, outsourcing and supply‑chain risk
You must map every outsourced function by impact and data sensitivity, linking vendors to specific SEBI controls and incident playbooks. Prioritize suppliers that handle customer funds or personal data, since supply‑chain attacks like SolarWinds showed how a trusted vendor can expose your entire estate. Maintain an inventory with refresh cycles, risk ratings and documented mitigation for any supplier deemed high‑impact.
Vendor due diligence, contractual safeguards and SLA requirements
Conduct technical and financial due diligence: request SOC 2/ISO 27001 reports, recent penetration test results and vulnerability remediation timelines. Insist on contractual rights to audit, data‑localization clauses, encryption standards and breach notification within 2 hours. Set SLAs with measurable RTO/RPO (e.g., RTO ≤ 4 hours, RPO ≤ 1 hour for critical services), uptime targets and liquidated damages for non‑performance.
Continuous monitoring, concentration risk and exit planning
Deploy continuous monitoring of vendor telemetry into your SIEM, subscribe to CVE and threat intel feeds, and use vendor scorecards to track compliance. Flag concentration when a single supplier provides >30% of critical capacity and require redundancy or backup vendors. Define exit plans with data escrow, transfer formats and validated runbooks to ensure rapid supplier replacement.
Integrate vendor logs, API health checks and SLA telemetry into automated dashboards so you detect anomalies within minutes, not days. Run quarterly tabletop exercises and annual failover drills with top vendors; aim for MTTR under 4 hours for critical incidents and contractual availability of 99.95% where appropriate. Negotiate contractual triggers (such as missed remediation windows or repeated security incidents) that allow immediate suspension, accelerated transition assistance and escrow release. Finally, diversify by region and technology (multi‑cloud or secondary suppliers) and require monthly attestations for high‑risk vendors to reduce single‑point failures and speed exit execution.
Monitoring, compliance, metrics and enforcement
You must run continuous monitoring through SIEM, endpoint telemetry and automated threat feeds, retain logs for at least 12 months, and formalize weekly exception reviews with board-level escalation for high-severity events. Use dashboards that surface MTTD/MTTR trends, patch compliance and third-party risk scores so you can demonstrate improvement over time. Noncompliance invites supervisory action, so align operational metrics to regulatory expectations and audit schedules.
KPIs, audits, penetration testing and compliance evidence
Track KPIs such as MTTD <24 hours, MTTR <72 hours, percent of critical vulnerabilities remediated within 30 days, and quarterly vulnerability-scan coverage. Conduct annual penetration testing and post-change tests after major deployments. Compile test reports, remediation tickets, SOC/ISO certifications and signed attestations as compliance evidence so auditors see a clear chain from finding to closure.
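The KPIs above, computed from an incident register and a critical-vulnerability tracker and checked against the stated targets (MTTD <24 hours, MTTR <72 hours, critical fixes within 30 days). This is an added example, not SEBI's or any vendor's reporting tool; the records are constructed, and the treatment of still-open items (past the window counts as missed, inside it is excluded) is an assumption.

```python
"""Compliance KPIs from an incident register and vulnerability tracker:
MTTD, MTTR and percent of critical vulnerabilities fixed within 30 days,
checked against the article's targets. Added illustration; records are
constructed. Handling of open items past/inside the window is assumed."""
from datetime import datetime, timedelta
from statistics import mean

def _dt(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed incident register: occurred -> detected -> resolved (local time).
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T02:00", "detected": "2024-03-01T10:00", "resolved": "2024-03-02T10:00"},
    {"id": "INC-2", "occurred": "2024-03-05T09:00", "detected": "2024-03-07T09:00", "resolved": "2024-03-10T09:00"},
]
# Constructed tracker of critical vulnerabilities (CVSS >= 7); None = still open.
CRITICAL_VULNS = [
    {"id": "V-1", "found": "2024-02-01", "fixed": "2024-02-20"},
    {"id": "V-2", "found": "2024-02-01", "fixed": "2024-03-15"},
    {"id": "V-3", "found": "2024-02-10", "fixed": None},
    {"id": "V-4", "found": "2024-03-01", "fixed": "2024-03-20"},
]

def mttd_hours(incidents) -> float:
    """Mean time to detect: detected minus occurred, in hours."""
    return mean((_dt(i["detected"]) - _dt(i["occurred"])).total_seconds() / 3600 for i in incidents)

def mttr_hours(incidents) -> float:
    """Mean time to resolve: resolved minus detected, in hours."""
    return mean((_dt(i["resolved"]) - _dt(i["detected"])).total_seconds() / 3600 for i in incidents)

def pct_critical_within_sla(vulns, as_of: str, sla_days: int = 30) -> float:
    """Share of critical vulns closed within sla_days of discovery. Open items
    past the window count as missed; open items still inside it are excluded."""
    as_of_d, met, missed = _dt(as_of), 0, 0
    for v in vulns:
        deadline = _dt(v["found"]) + timedelta(days=sla_days)
        if v["fixed"] is None:
            missed += as_of_d > deadline
            continue
        if _dt(v["fixed"]) <= deadline:
            met += 1
        else:
            missed += 1
    return round(100 * met / (met + missed), 1) if met + missed else 100.0

def kpi_status(incidents, vulns, as_of: str) -> dict:
    """Dashboard summary with pass/fail against the article's targets."""
    mttd, mttr = mttd_hours(incidents), mttr_hours(incidents)
    return {"mttd_h": mttd, "mttd_ok": mttd < 24, "mttr_h": mttr, "mttr_ok": mttr < 72,
            "critical_in_30d_pct": pct_critical_within_sla(vulns, as_of)}
```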
Disclosure obligations, regulatory inspections and penalties
You must maintain an incident register, follow your IRP for regulator and stakeholder notifications, and prepare forensic and remediation reports for inspections. Expect SEBI and supervisory teams to request documentation during on-site reviews, and know that failures in timely disclosure or evidence can lead to enforcement actions including directions, restrictions or fines.
When a material incident occurs, you should immediately record the timeline, impacted services and containment steps, then produce a root-cause analysis and remediation plan for inspectors. Practical examples: provide raw logs, hash lists, pen-test re-testing proof and third-party attestations; furnish both executive summaries for the board and technical annexes for investigators. Maintaining an organised, foldered evidence trail reduces disputes and speeds regulatory closeout.
Conclusion
As a reminder, you must ensure your cyber risk management complies with SEBI requirements: establish clear governance and board accountability, perform regular risk assessments and testing, enforce vendor oversight and data-protection controls, maintain documented incident-response and timely reporting processes, and provide continuous monitoring and staff training so your firm meets disclosure, audit and regulatory obligations while protecting customers and market integrity.
FAQ
Q: What governance and organisational requirements does SEBI expect from financial entities for cyber risk management?
A: SEBI expects board-level oversight and clear accountability for cyber risk (typically via a designated senior official such as a CISO/CRO), a formal cyber security and resilience policy, and integration of cyber risk into enterprise risk management. Entities must perform regular risk assessments, maintain asset and data classification inventories, enforce access controls and encryption, implement logging and monitoring, run vulnerability management and patching programs, conduct periodic penetration testing and DR/BCP exercises, and document roles, responsibilities and KPIs. Third-party/vendor risk management with contractual security obligations and periodic vendor reviews is required. Requirements vary by entity type, so map obligations to applicable SEBI circulars and relevant sectoral rules.
Q: What are the steps and reporting obligations after a cyber security incident under SEBI-related frameworks?
A: Activate the incident response plan immediately: contain and remediate, preserve forensic evidence, perform root-cause analysis, and restore operations per BCP. Notify internal stakeholders and the board, then report to regulators and stakeholders as required by SEBI guidance and other applicable laws (including stock exchanges, depositories and national incident response bodies) within the timelines specified in the relevant circulars. Prepare a detailed post-incident report outlining timeline, impact, affected data, remedial measures and future mitigations. Coordinate with law enforcement where appropriate, ensure regulatory disclosures for listed entities, and maintain an incident register for audit and compliance purposes.
Q: What ongoing controls, assurance activities and documentation help demonstrate compliance to SEBI and reduce supervisory risk?
A: Maintain a program of continuous monitoring (SOC), periodic third-party and internal audits, annual attestation against SEBI requirements, regular penetration testing and tabletop exercises, and a documented vulnerability management lifecycle. Keep comprehensive documentation: cyber policy, risk assessments, incident logs, audit reports, vendor due-diligence records, training records and board-level reporting. Conduct gap assessments after regulatory updates, implement prioritized remediation plans, and use independent assurance (external audits or certifications) to evidence compliance. Consider cyber insurance and contractual risk transfer, and ensure legal/compliance teams track SEBI circulars and maintain a compliance calendar for reporting deadlines.